[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Fri Mar 17 17:34:26 EET 2017


Roumen,

I went ahead and rebuilt the server and client machines and only
uncommented CACertificatePath in /opt/pkixssh/etc/sshd_config and added
Port 2222 on server.local and uncommented CACertificatePath in
/opt/pkixssh/etc/ssh_config on client.local only.

I also ran p11tool on client.local and here's the output:

[sc_jose at client ~]$ p11tool --provider=/usr/lib64/libcoolkeypk11.so
--list-tokens
Token 0:
URL: pkcs11:model=;manufacturer=;serial=;token=sc_jose
Label: sc_jose
Type: Hardware token
Manufacturer:
Model:
Serial:

[sc_jose at client ~]$ p11tool --provider=/usr/lib64/libcoolkeypk11.so --info
Object 0:
URL:
pkcs11:model=;manufacturer=;serial=;token=sc_jose;id=%00%01;object=PIV%20ID%20Certificate;object-type=private
Type: Private key
Label: PIV ID Certificate
Flags: CKA_SENSITIVE;
ID: 00:01

Object 1:
URL:
pkcs11:model=;manufacturer=;serial=;token=sc_jose;id=%00%01;object=PIV%20ID%20Certificate;object-type=public
Type: Public key
Label: PIV ID Certificate
ID: 00:01

Object 2:
URL:
pkcs11:model=;manufacturer=;serial=;token=sc_jose;id=%00%01;object=PIV%20ID%20Certificate;object-type=cert
Type: X.509 Certificate
Label: PIV ID Certificate
ID: 00:01

[sc_jose at client ~]$ p11tool --provider=/usr/lib64/libcoolkeypk11.so
--list-all-certs
Object 0:
URL:
pkcs11:model=;manufacturer=;serial=;token=sc_jose;id=%00%01;object=PIV%20ID%20Certificate;object-type=cert
Type: X.509 Certificate
Label: PIV ID Certificate
ID: 00:01

[sc_jose at client ~]$ p11tool --provider=/usr/lib64/libcoolkeypk11.so
--list-mechanisms
[0x0001] CKM_RSA_PKCS

As you can see, there's private key, public key, and X.509 certificate.

Here's the output of server.local:

[root at server etc]# /opt/pkixssh/sbin/sshd -D -d
debug1: ssh_set_validator: ignore responder url
debug1: sshd version PKIX-SSH 10.0, OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11
Feb 2013
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug1: private host key #0: ssh-rsa
SHA256:FWp7dgXg4zYYyQcX032/ct5vcaa1TI+s6Xd9dc5TaIo
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug1: private host key #1: ssh-dss
SHA256:aM6EX1ct4Z7g3d1pmAPyy1bzFKaeFn43G+6jKhcFAvM
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug1: private host key #2: ecdsa-sha2-nistp256
SHA256:TlJio4dCL+yIF9ynbRcPB6jhjOP/AmIMAtELFNtZzYQ
debug1: private host key #3: ssh-ed25519
SHA256:xCrWf09JSVwz2WWAtSTc4m5ubzFYCysBeI/QtqHfBd8
debug1: rexec_argv[0]='/opt/pkixssh/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-d'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.240.136 port 45926 on 192.168.240.135 port 2222
debug1: Client protocol version 2.0; client software version OpenSSH_7.4
PKIX[10.0]
debug1: match: OpenSSH_7.4 PKIX[10.0] pat OpenSSH* compat 0x04000000
debug1: x.509 compatibility rfc6187_missing_key_identifier=no: pattern
'OpenSSH*PKIX[??.*' match 'OpenSSH_7.4 PKIX[10.0]'
debug1: x.509 compatibility rfc6187_asn1_opaque_ecdsa_signature=no: pattern
'OpenSSH*PKIX[??.*' match 'OpenSSH_7.4 PKIX[10.0]'
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4 PKIX[10.0]
debug1: permanently_set_uid: 74/74 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
[preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user sc_jose service ssh-connection method
none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: userauth-request for user sc_jose service ssh-connection method
publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for
RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/sc_jose/.ssh/authorized_keys
debug1: Could not open authorized keys
'/home/sc_jose/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for sc_jose from 192.168.240.136 port 45926 ssh2: RSA+cert
SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg
debug1: userauth-request for user sc_jose service ssh-connection method
keyboard-interactive [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=sc_jose devs= [preauth]
debug1: kbdint_alloc: devices '' [preauth]
debug1: userauth-request for user sc_jose service ssh-connection method
password [preauth]
debug1: attempt 3 failures 2 [preauth]
Accepted password for sc_jose from 192.168.240.136 port 45926 ssh2
debug1: monitor_child_preauth: sc_jose has been authenticated by privileged
process
debug1: monitor_read_log: child log fd closed
User child is on pid 11083
debug1: permanently_set_uid: 1000/1000
debug1: rekey after 134217728 blocks
debug1: rekey after 134217728 blocks
debug1: ssh_packet_set_postauth: called
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max
16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions at openssh.com
want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/1
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: shell on pts/1 for sc_jose from 192.168.240.136 port
45926 id 0
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 11084
debug1: session_exit_message: session 0 channel 0 pid 11084
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/pts/1
debug1: session_pty_cleanup: session 0 release /dev/pts/1
Received disconnect from 192.168.240.136 port 45926:11: disconnected by user
Disconnected from 192.168.240.136 port 45926
debug1: do_cleanup
debug1: do_cleanup
[root at server etc]#

Here's the output of client.local:
[sc_jose at client ~]$ /opt/pkixssh/bin/ssh -p 2222 -I
/usr/lib64/libcoolkeypk11.so sc_jose at 192.168.240.135 -v
PKIX-SSH 10.0, OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Can't process default engine config file: No such file or directory
debug1: Reading configuration data /opt/pkixssh/etc/ssh_config
debug1: ssh_set_validator: ignore responder url
debug1: Connecting to 192.168.240.135 [192.168.240.135] port 2222.
debug1: Connection established.
debug1: provider /usr/lib64/libcoolkeypk11.so: manufacturerID <Mozilla
Foundation> cryptokiVersion 2.11 libraryDescription <CoolKey PKCS #11
Module     > libraryVersion 1.0
debug1: provider /usr/lib64/libcoolkeypk11.so slot 0: label <sc_jose>
manufacturerID < > model < > serial < > flags 0x40e
debug1: have 1 keys
debug1: key_load_public: No such file or directory
debug1: identity file /home/sc_jose/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sc_jose/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sc_jose/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sc_jose/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sc_jose/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sc_jose/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sc_jose/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sc_jose/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4 PKIX[10.0]
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
PKIX[10.0]
debug1: match: OpenSSH_7.4 PKIX[10.0] pat OpenSSH* compat 0x04000000
debug1: x.509 compatibility rfc6187_missing_key_identifier=no: pattern
'OpenSSH*PKIX[??.*' match 'OpenSSH_7.4 PKIX[10.0]'
debug1: x.509 compatibility rfc6187_asn1_opaque_ecdsa_signature=no: pattern
'OpenSSH*PKIX[??.*' match 'OpenSSH_7.4 PKIX[10.0]'
debug1: Authenticating to 192.168.240.135:2222 as 'sc_jose'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:TlJio4dCL+yIF9ynbRcPB6jhjOP/AmIMAtELFNtZzYQ
debug1: checking without port identifier
The authenticity of host '[192.168.240.135]:2222 ([192.168.240.135]:2222)'
can't be established.
ECDSA key fingerprint is SHA256:TlJio4dCL+yIF9ynbRcPB6jhjOP/AmIMAtELFNtZzYQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.240.135]:2222' (ECDSA) to the list of
known hosts.
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA+cert public key: /usr/lib64/libcoolkeypk11.so
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Trying private key: /home/sc_jose/.ssh/id_rsa
debug1: Trying private key: /home/sc_jose/.ssh/id_dsa
debug1: Trying private key: /home/sc_jose/.ssh/id_ecdsa
debug1: Trying private key: /home/sc_jose/.ssh/id_ed25519
no such identity: /home/sc_jose/.ssh/id_ed25519: No such file or directory
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
sc_jose at 192.168.240.135's password:
debug1: pkcs11_provider_unref: 0x7f8ec9629870 refcount 2
debug1: Authentication succeeded (password).
Authenticated to 192.168.240.135 ([192.168.240.135]:2222).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00 at openssh.com
want_reply 0
Last login: Fri Mar 17 10:25:32 2017 from 192.168.240.136
Environment:
  USER=sc_jose
  LOGNAME=sc_jose
  HOME=/home/sc_jose
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/pkixssh/bin
  MAIL=/var/mail/sc_jose
  SHELL=/bin/bash
  SSH_CLIENT=192.168.240.136 45926 2222
  SSH_CONNECTION=192.168.240.136 45926 192.168.240.135 2222
  SSH_TTY=/dev/pts/1
  TERM=xterm
[sc_jose at server ~]$ exit
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
logout
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.240.135 closed.
Transferred: sent 4096, received 3220 bytes, in 1.4 seconds
Bytes per second: sent 2891.9, received 2273.4
debug1: Exit status 0
[sc_jose at client ~]$

Both machines have the root and intermediate certs hashed in
/opt/pkixssh/etc/ca/crt. Both certs are in PEM format. Both machines have
sc_jose as a local account. The CN on the cert is sc_jose.

Still no PIN prompt.

It seems /opt/pkixssh/bin/ssh -p 2222 -I /usr/lib64/libcoolkeypk11.so
sc_jose at 192.168.240.135 -v is offering the smart card's public key to the
server? This is not what I want. I want to use the X.509 cert on the smart
card.

Below is the snippet from the public key offering:

From server.local: debug1: userauth_pubkey: test whether pkalg/pkblob are
acceptable for RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg
[preauth]
From client.local: debug1: Offering RSA+cert public key:
/usr/lib64/libcoolkeypk11.so

How do I tell /opt/pkixssh/bin/ssh -p 2222 -I /usr/lib64/libcoolkeypk11.so
sc_jose at 192.168.240.135 -v to use the X.509 on the smart card?


On Wed, Mar 15, 2017 at 5:57 PM, <ssh_x509 at roumenpetrov.info> wrote:

> Hi Jose ,
> ssh_x509 at roumenpetrov.info wrote:
>
>> Greetings.
>>
>> It seems I’m missing something fundamental in getting X.509 certificates
>> to
>> work with PIN prompt. Below are the steps I used to try to get X.509 with
>> PIN prompt to work.
>>
>> 1) Create 2 machines and install latest CentOS 7 minimal ISO. One machine
>> is called server.local, the other called client.local
>> 2) Get latest PKIXSSH tarball for both machines
>> 3) Run ./configure --prefix=/opt/pkixssh --enable-pkcs11 on both machines
>>
> enable-pkcs11 was removed a long time ago.
>
> 4) Run make install on both machines
>> 5) Run yum install opensc
>> 6) Plug in USB smart card reader and run opensc-tool -l and opensc-tool -n
>> on client.local machine to confirm cert on card
>> 7) Copy root and intermediate certs to /opt/pkixssh/etc/ca/crt directory
>> and run openssl x509 -noout -hash -in <root|intermediate> certs. Run ln -s
>> root.crt <hash>.0 and ln -s int.crt <hash>.0 on both machines
>> 8) Edit server.local /opt/pkixssh/etc/sshd_config options explicitly:
>> CACertificatePath /opt/pkixssh/etc/ca/crt, PubkeyAuthentication yes,
>> PasswordAuthentication no,  ChallengeResponseAuthentication no
>> 9) Edit client.local /opt/pkixssh/etc/ssh_config explicitly:
>> CACertificatePath /opt/pkixssh/etc/ca/crt
>> 10) On server.local, create local account with same name as CN on
>> certificate
>> 11) On server.local, run /opt/pkixssh/sbin/sshd -D
>> 12) On client.local, run /opt/pkixssh/bin/ssh -I
>> /usr/lib64/opensc-pkcs11.so
>> <server-local-account>@192.168.1.1
>>
> Everything sounds correct.
>
>> 13) I do not get a request to enter the PIN for the smart card
>>
>> [SNIP]
>> Does anyone have a working sshd_config.conf and ssh_config.conf working
>> with X.509 and prompts for the PIN on the smart card?
>>
> Server or client configuration is not related to 'pin prompt'.
> Right now I have no idea why PIN prompt does not work.
>
>
> If need be, I can post the entire sshd_config.conf and ssh_config.conf
>> files.
>>
>> Thanks for the help!
>>
>> Jose
>>
>
> Roumen
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>
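A small log analyzer, added here as a worked example for this thread (it is not part of PKIX-SSH or OpenSSH and was not posted by either participant). It walks the server-side "sshd -D -d" output in the order the authentication methods were tried and reports, per connection, which key the client offered, whether sshd could open the user's authorized_keys file, which methods were rejected and which one finally succeeded. The sample input is copied from the server.local log above, re-joined onto single lines where the mail client wrapped them; the message formats matched are the ones visible in that log (OpenSSH 7.4 / PKIX-SSH 10.0) and are assumed to be stable only for that version family.

```python
"""Reconstruct the user-authentication sequence from an `sshd -d` debug log.

Added example for this thread; it is not part of PKIX-SSH or OpenSSH. The
message formats matched below are the ones visible in the server.local log
posted above (OpenSSH 7.4 / PKIX-SSH 10.0); other versions may word them
differently, which is an assumption of this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: verbatim excerpts from the server.local log in the post,
# re-joined onto single lines where the mail client had wrapped them.
SAMPLE_LOG = """\
Connection from 192.168.240.136 port 45926 on 192.168.240.135 port 2222
debug1: userauth-request for user sc_jose service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: userauth-request for user sc_jose service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg [preauth]
debug1: trying public key file /home/sc_jose/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/sc_jose/.ssh/authorized_keys': No such file or directory
Failed publickey for sc_jose from 192.168.240.136 port 45926 ssh2: RSA+cert SHA256:FjI0rKTF2Qle8y0wcMqIgFlYCWvycRRWk0j1mfY9Wdg
debug1: userauth-request for user sc_jose service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: userauth-request for user sc_jose service ssh-connection method password [preauth]
debug1: attempt 3 failures 2 [preauth]
Accepted password for sc_jose from 192.168.240.136 port 45926 ssh2
"""

RE_CONN = re.compile(r"^Connection from (\S+) port (\d+) on \S+ port \d+")
RE_REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
RE_OFFER = re.compile(r"pkalg/pkblob are acceptable for (\S+) (SHA256:\S+)")
RE_NO_AUTHKEYS = re.compile(r"Could not open authorized keys '([^']+)'")
RE_FAILED = re.compile(r"^Failed (\S+) for (\S+) from \S+ port \d+ ssh2(?:: (.*))?$")
RE_ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from \S+ port \d+ ssh2")


@dataclass
class AuthSummary:
    client: Optional[Tuple[str, int]] = None
    user: Optional[str] = None
    methods: List[str] = field(default_factory=list)  # in the order tried
    offered_keys: List[Tuple[str, str]] = field(default_factory=list)  # (pkalg, fingerprint)
    missing_authorized_keys: List[str] = field(default_factory=list)
    failed: List[Tuple[str, str]] = field(default_factory=list)  # (method, detail)
    accepted: Optional[str] = None

    def findings(self) -> List[str]:
        """Plain-language summary of why each method succeeded or failed."""
        out = []
        for pkalg, fp in self.offered_keys:
            out.append(f"client offered {pkalg} key {fp}")
        for path in self.missing_authorized_keys:
            out.append(f"sshd could not open {path}, so no offered key could be matched")
        for method, detail in self.failed:
            out.append(f"{method} rejected: {detail}")
        if self.accepted:
            if self.failed:
                out.append(f"session authenticated by {self.accepted} after "
                           f"{len(self.failed)} rejected method(s)")
            else:
                out.append(f"session authenticated by {self.accepted}")
        return out


def analyze(log_text: str) -> AuthSummary:
    """Walk the log once and collect the authentication events in order."""
    s = AuthSummary()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_CONN.match(line)
        if m:
            s.client = (m.group(1), int(m.group(2)))
            continue
        m = RE_REQUEST.search(line)
        if m:
            s.user = s.user or m.group(1)
            s.methods.append(m.group(2))
            continue
        m = RE_OFFER.search(line)
        if m:
            s.offered_keys.append((m.group(1), m.group(2)))
            continue
        m = RE_NO_AUTHKEYS.search(line)
        if m:
            s.missing_authorized_keys.append(m.group(1))
            continue
        m = RE_FAILED.match(line)
        if m:
            s.failed.append((m.group(1), m.group(3) or ""))
            continue
        m = RE_ACCEPTED.match(line)
        if m:
            s.accepted = m.group(1)
    return s


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"{summary.user} from {summary.client}: methods tried {summary.methods}")
    for item in summary.findings():
        print(" -", item)
```

Run against the posted log it reports only what the log itself says: the client offered an RSA+cert key, sshd looked for /home/sc_jose/.ssh/authorized_keys and could not open it, publickey was rejected, and the session was finally authenticated by password. That is the same sequence the client-side trace shows from the other end (publickey offered, then keyboard-interactive, then password). The analyzer is deliberately limited to the message shapes in this log; when pointed at a different sshd build, check that these regexes still match before trusting an empty result.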


